Quantifying the value of cyber defenses as some companies look to cut costs amid COVID.
Cybersecurity is a major concern for NeuGroup member companies, and the pandemic has forced them to pay more attention to the risks of having so many people in finance roles working from home as the push for accelerated automation and digitalization grows.
- At the same time, COVID-19 has pushed companies to tighten their belts. But cutting spending on cyber defenses looks like a potentially costly mistake.
Return on investment. A recent survey of more than 1,000 companies globally by ESI ThoughtLab found that investing in cyber defenses provides strong returns on investment (ROI): 179% on average. The ROI analysis is based on how much each cybersecurity investment reduces a firm's expected losses from cyberattacks.
- Training and improving staff skills, recruiting specialists and appropriately compensating cybersecurity staff provided the biggest bang for the buck, with an ROI of 271%.
- “One of the things we found from the study is that the investment in people results in the highest decline in the probability of a breach,” said Davis Hake, co-founder of Arceo.ai, which specializes in cyber-risk analytics, who was on the survey’s advisory board.
- The study found significant ROI from investments in cybersecurity-related processes and procedures (156%) and technology (129%).
Costs and COVID. Cybersecurity—like treasury—is often considered a cost center, so cost cuts may be imminent.
- The ESI study notes, “Our interviews during the pandemic show a divergence of views, with some companies, particularly those in hard-hit areas like retail and hospitality, expecting significant budget cuts, and others foreseeing increases to support more ambitious digital transformation plans.”
- Research firm Gartner recently estimated that, because of the pandemic, companies' spending on protecting their information from cyberattacks will grow only 2.4% in 2020, down sharply from the 8.7% growth it forecast in December 2019.
The value of cyber insurance. Six in 10 respondents plan to spend more on cyber insurance over the next two years, the survey found. And of the firms most advanced in cybersecurity effectiveness and compliance, which ESI calls cybersecurity leaders, 57% have coverage of more than $10 million, compared to 30% of non-leaders.
- Mr. Hake, who is also an adjunct professor of cyber-risk management at the University of California, Berkeley, said, “I talk to my students about this—when you look at the price per dollar, insurance is one of the best investments you can make from a financial perspective.”
Cybersecurity leaders. ESI identified leaders by analyzing responding companies' adherence to the NIST Cybersecurity Framework, their success in thwarting actual cyberattacks, and their scores from the Verizon Business Cyber Risk Monitoring Tool, which draws on publicly available data from Bitsight and Verizon's own data breach investigations.
- Only 64 of the 151 companies classified as leaders in NIST compliance are also advanced in cybersecurity effectiveness, the survey found; adherence to the framework alone does not make a company effective. Leaders adapt the framework to their business goals, strategies and individual risk profile.
- Leaders make cybersecurity hygiene a top priority and do more frequent backup restoration drills.
- Leaders are more likely to make cybersecurity a shared responsibility, often between the CIO and CISO, with cybersecurity reporting to the CEO, COO or the board.
- Eight out of 10 leading companies conduct cyber-risk scenario analysis, assess the financial impact of risk events, and measure the impact of mechanisms to mitigate risk.